SQOL injection protection? #12
Comments
|
SOQL, does not have the ability to perform DML against the database. This means that records cannot be modified via SOQL. This should take the majority of the risk out of injection attacks. Really, the only risk would be that someone is able to query some extra fields on a record. SF does not provide anything like prepared statements. As of now, I believe this library does not integrate injection protection. Though as stated previously, this should be a relatively small problem. See the following Salesforce article relating to this exact subject: https://developer.salesforce.com/docs/atlas.en-us.pages.meta/pages/pages_security_tips_soql_injection.htm |
|
Maybe it helps someone, I used this library to prevent injections: https://github.com/forcedotcom/go-soql |
Setting up usage of this library, one of my security helpers pinged that the library encourages the use of sprintf-style formatting for SQOL query construction. Is that secure? Does Salesforce provide something like prepared statements? Does this library have a way to do query construction in a safer way than just escape-and-hope?
The text was updated successfully, but these errors were encountered: